fix: separate Flyway and app datasource search paths for schema isolation
Flyway needs public in the search_path to access TimescaleDB extension functions (create_hypertable). The app datasource must NOT include public to prevent accidental cross-schema reads from production data. - spring.flyway.url: currentSchema=<branch>,public (extensions accessible) - spring.datasource.url: currentSchema=<branch> (strict isolation) - SPRING_FLYWAY_URL env var added to K8s base manifest Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -10,6 +10,7 @@ spring:
|
|||||||
flyway:
|
flyway:
|
||||||
enabled: true
|
enabled: true
|
||||||
locations: classpath:db/migration
|
locations: classpath:db/migration
|
||||||
|
url: jdbc:postgresql://localhost:5432/cameleer3?currentSchema=${CAMELEER_DB_SCHEMA:public},public
|
||||||
schemas: ${CAMELEER_DB_SCHEMA:public}
|
schemas: ${CAMELEER_DB_SCHEMA:public}
|
||||||
default-schema: ${CAMELEER_DB_SCHEMA:public}
|
default-schema: ${CAMELEER_DB_SCHEMA:public}
|
||||||
mvc:
|
mvc:
|
||||||
|
|||||||
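Review bot: The added `spring.flyway.url` line, like the isolation described in the commit message, relies on `currentSchema` alone, and that setting only controls how unqualified names resolve. The app role can still read `public.<table>` by qualified name unless its privileges on `public` are revoked. A comment above the line would make this explicit, for example `# search_path only; real isolation still needs role-level grants per branch schema`. The URL also hard-codes `localhost:5432/cameleer3`, so a deployment that overrides only `SPRING_DATASOURCE_URL` would run migrations against a different database than the app uses. Deriving it from the datasource setting, e.g. `url: ${spring.datasource.url},public`, avoids that drift, though it is valid only while `currentSchema` stays the last URL parameter, and the datasource URL and the start of the `spring:` mapping are outside this hunk.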
@@ -22,6 +22,8 @@ spec:
|
|||||||
env:
|
env:
|
||||||
- name: SPRING_DATASOURCE_URL
|
- name: SPRING_DATASOURCE_URL
|
||||||
value: "jdbc:postgresql://postgres.cameleer.svc.cluster.local:5432/cameleer3?currentSchema=$(CAMELEER_DB_SCHEMA)"
|
value: "jdbc:postgresql://postgres.cameleer.svc.cluster.local:5432/cameleer3?currentSchema=$(CAMELEER_DB_SCHEMA)"
|
||||||
|
- name: SPRING_FLYWAY_URL
|
||||||
|
value: "jdbc:postgresql://postgres.cameleer.svc.cluster.local:5432/cameleer3?currentSchema=$(CAMELEER_DB_SCHEMA),public"
|
||||||
- name: CAMELEER_DB_SCHEMA
|
- name: CAMELEER_DB_SCHEMA
|
||||||
value: "public"
|
value: "public"
|
||||||
- name: SPRING_DATASOURCE_USERNAME
|
- name: SPRING_DATASOURCE_USERNAME
|
||||||
|
|||||||
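Review bot: The new `SPRING_FLYWAY_URL` entry references `$(CAMELEER_DB_SCHEMA)`, but that variable is declared after it in the `env` list, as it already is for `SPRING_DATASOURCE_URL`. Kubernetes only expands `$(VAR)` references to variables defined earlier in the same list, so as written the literal text `$(CAMELEER_DB_SCHEMA)` would reach the JDBC URL. Flyway would then most likely resolve everything through the trailing `,public`, which defeats the per-branch schema. Moving the `- name: CAMELEER_DB_SCHEMA` / `value: "public"` pair above `- name: SPRING_DATASOURCE_URL` fixes both URLs, unless an overlay not visible here already reorders the list. The `env` list continues past the end of the hunk.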